A practical guide to managing your AML/CTF Risk

BNDRY
Desg
Published
16 Oct 2025

Highlights

  • AUSTRAC is extending the Tranche 2 AML/CTF reforms to new industries.
  • Why businesses are integral in the fight against financial crime.
  • How technology helps alleviate compliance obligations.

Tranche 2 is (pretty much) here…

If you’re reading this, you’re likely aware that Australia is implementing the Tranche 2 Anti-Money Laundering / Counter-Terrorism Financing (AML/CTF) reforms and as of 31 March 2026, businesses providing designated services (those recognised as being exposed to exploitation for money laundering) will need to register and begin complying with the new legislation.


Beyond legal obligations, being unprepared for Tranche 2 can damage your business's overall reputation, from eroding client trust to attracting undesirable customers. It's smarter to put the hard yards in now for long-term security and client trust.


Now let’s assume we’re all on the same page and agree:

  • Tranche 2 is a big change and a long time coming (since 2009).
  • The implications of getting this wrong can be very serious.
  • Whether you’re aiming for the March or July 2026 deadline, those dates aren’t when you start getting ready; they’re when you need to be ready.
  • You’ve still got a business to run day-to-day, this shouldn’t get in the way of that.
  • You’ll need 6-9 months to get your AML/CTF program sorted.
  • We should behave like Tranche 2 is already here.


So… what do you actually need to do?


To help with that question, we’ve written a five part guide on the steps your business will need to take and ways to implement them.

  1. Understanding Your Business
  2. Knowing Your Customers
  3. Monitoring Your Customers
  4. How to Report to AUSTRAC
  5. Storing and Managing Customer Data

Part 1: Understanding your business – risk assessment and dodgy data

Of course you understand what your business does already, but how well do you know the ways in which your business can be targeted by bad actors? Or ways to stop them? What about how you prevent them from targeting you in the first place and the steps to take if something bad does happen?


Understanding the key areas of your own business that are subject to attack, targeting, exploitation and all manner of corruption is critical to working out what changes you’ll need to make, any gaps you have and how to demonstrate that you’re playing your part in the fight against financial crime.


AUSTRAC (Australian Transaction Reports and Analysis Centre) expects regulated industries to capture all areas of Money Laundering / Terrorism Financing (ML/TF) risk, from customers, delivery and channel risks through to products. A risk assessment is a key process to identify, manage and mitigate potential threats across all business functions. It plays both a crucial role in maintaining regulatory compliance and in establishing a strong framework for scalable and sustainable growth.


Assessing your business's AML/CTF risks includes but is not limited to:

  • Reviewing customer types.
  • Assessing whether products and services are scaling with growth.
  • Checking affiliated geographic locations for any regulatory changes or loopholes.
  • Understanding exactly how you deliver services to your customers.


Screening company data is a smart step toward establishing a solid risk assessment and the best way to discover if any weak areas exist within systems and processes.


As Jeremy Moller, a well-known risk advisory lawyer in Australia, says, “businesses must check their data now”, waiting until the reforms are live is too late. Understanding your company data – what information you gather and from where, how it’s stored, used and shared, and ensuring your data is up-to-date – is a vital first step.


This task is usually the responsibility of a risk and compliance officer (or similar), but what if your business has never had to deal with regulatory compliance before? This is where technology and automation are the super heroes. Businesses need to review their systems, processes and technologies to assess if they’re up to the task for reporting obligations, or whether they need to be updated. If resources are tight, especially around recruitment, upgrading software to automate compliance obligations is a cost-effective solution to start your AML/CTF procedures.

The data cleanse

Think of your business as an ecosystem in which each component needs a certain level of attention. Neglect one part of the environment and weeds find their way in and do their damage from the inside. Data is often that overlooked component: stale, misplaced or unprotected records are where problems take root, and they may not be detected until it’s too late. This is why it’s important to check and “cleanse” your data regularly, ensuring every component of your business is up-to-date, which in turn streamlines AML/CTF obligations and related processes.


Data checklist:

  • Is your client list still up-to-date?
  • Is the right information captured against them?
  • Is your company data stored in the correct place?
  • Do you have a solid Know Your Customer (KYC) process in place?
  • Do you have reliable PII protection?
  • Are you monitoring your customers’ transactions against financial crime?


Qing Liu, Moody's Senior Director of Compliance & Third Party Risk in Australia, emphasises how businesses need to ensure their data is up-to-date to mitigate risk, and the best way to do this is “to leverage technology”. The right technology helps identify what is needed, what needs to go and what is required. While traditional compliance processes are bogged down by manual forms, email chains and siloed data, technology automates and simplifies data governance and ensures it is current, securely held and safely transferred.


AUSTRAC expects suspicious activity to be reported, so your systems need to be set up to flag dodgy transactions. If you provide a designated service and form a reasonable suspicion about a customer (for example, that they aren’t who they appear to be, or that a transaction is linked to the proceeds of crime), a Suspicious Matter Report (SMR) needs to be sent to AUSTRAC so it can investigate further. Your report could be the key to solving a serious financial crime.

Who’s responsible?

As mentioned previously, data protection and regulatory compliance traditionally falls under the role of a risk and compliance officer, but the responsibility is company wide and all staff need to be trained on what to look out for and who to notify if something doesn’t look right. A training program should be implemented now to get everyone up-to-speed before the deadline, and to allow enough time to practice new skills around regulatory obligations.


Some key areas in your training program should include understanding:

  • The obligations under the AML/CTF Act and Rules.
  • The consequences of non-compliance.
  • Types of AML/CTF risk the business might face and consequences of such risk.
  • AML/CTF processes and procedures employees must carry out.
  • What to do when employees form a suspicion.


Fighting financial crime shouldn’t interrupt business-as-usual, but be an integral part of business workflows, and maintaining a regular data cleanse helps ensure your risk assessment is performed with as much ease and accuracy as possible. In short, start your AML/CTF program by checking your data, then performing a risk assessment.

Part 2: Knowing Your Customers – the key to financial crime detection

KYC or IDK?

Whether real estate agents, accountants, lawyers or gaming venues, collecting customers' personal information is a normal function of business operations. Know Your Customer (KYC) is the process of identifying and verifying who those customers actually are and understanding the nature of their dealings with you. In collecting that information, businesses also take on a responsibility to protect their customers' data; that protection obligation sits alongside KYC rather than being the same thing.

But how well do you really know your customers? Because “I don't know?” won't cut it when AUSTRAC’s new regulatory reforms roll out. You may have the necessary information to perform transactions on someone’s behalf, but what are those transactions for, where do they end up and for whom?

The upcoming regulatory changes are targeted to Designated Non-Financial Businesses and Professions (DNFBPs) and if your business falls under this category, you’re required by law to abide by the new Tranche 2 reforms. DNFBPs are now being treated like financial institutions in the eyes of regulators. Why? Because criminals treat them that way: as conduits for laundering illicit funds.

What are the CDD obligations?

While a certain level of customer identification no doubt already exists in your business, it may need levelling up to meet regulatory obligations. As a reporting entity, customer identification procedures need to be applied to all your customers, because you’ll need to know who you’re dealing with, both customers and visitors, including any individuals closely associated with Politically Exposed Persons (PEPs).


Part A of your AML/CTF program should cover Ongoing Customer Due Diligence (OCDD) procedures, including transaction monitoring and Enhanced Customer Due Diligence (ECDD) procedures, while Part B of your program should focus only on KYC procedures.


The Amendment Act will require DNFBPs to conduct initial CDD to:

  • Collect and verify information about the identity of a customer.
  • Understand potential risks in providing designated services to that customer.


Standard customer screening processes do already exist to achieve the new CDD obligations.


Review the following steps against your current processes:

  • Capture and verify personal identification (e.g. from driver’s licence, passport or government-issued proof of age card). The best way to do this is by plugging into a digital Document Verification Service (DVS).
  • Screen customers against PEPs and Sanction lists. As part of your AML/CTF program, you need to show how PEPs are identified through ECDD and what steps are taken when dealing with them.
  • Assign a risk category to each customer (low, medium, or high).
  • For higher-risk individuals, conduct full KYC checks to verify their details, which may include facial recognition and address verification.
  • Monitor customer transactions to identify behaviours that may signal suspicious activity or that increase the customer risk profile.
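The screening and risk-categorisation steps above, worked through as an added example (this is illustrative code written for this guide, not part of the BNDRY platform or any AUSTRAC tool). The PEP and sanctions entries, the high-risk country codes, the scoring weights and the category cut-offs are all assumptions constructed for the example; a real deployment would use licensed watchlist feeds, match on more than the name (date of birth, identifiers, aliases) and have the thresholds set by the business's own risk assessment.

```python
"""Added illustration of customer screening for CDD: normalise a name,
screen it against constructed PEP and sanctions lists, assign a risk
category and decide whether enhanced due diligence (ECDD) is needed.
Example code only; all list contents, weights and thresholds are assumptions."""
from dataclasses import dataclass, field
import re
import unicodedata

# Constructed watchlists with fictional names. Real feeds carry far more
# than a name; name-only matching is a first-pass screen, not a decision.
PEP_LIST = {"Jane Citizen", "Ivan Petrov"}
SANCTIONS_LIST = {"Acme Shell Holdings", "Ivan Petrov"}
# Assumed high-risk jurisdictions for the example (not an official list).
HIGH_RISK_COUNTRIES = {"XX", "YY"}


def normalize_name(name: str) -> str:
    """Fold case, strip accents and punctuation, and ignore token order so
    'Petrov, Ivan' and 'ivan PETROV' compare equal."""
    ascii_text = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.findall(r"[a-z0-9]+", ascii_text.lower())
    return " ".join(sorted(tokens))


@dataclass
class Customer:
    name: str
    country: str                   # country of residence or incorporation
    id_verified: bool              # DVS (or equivalent) document check passed
    self_declared_pep: bool = False  # answer to the onboarding PEP question
    cash_intensive: bool = False   # e.g. large cash settlements, gaming


@dataclass
class ScreeningResult:
    pep_match: bool
    sanctions_match: bool
    risk_score: int
    risk_category: str             # "low" | "medium" | "high"
    ecdd_required: bool
    hold: bool                     # assumption: sanctions hit = stop and escalate
    reasons: list = field(default_factory=list)


def _on_list(name: str, watchlist: set) -> bool:
    key = normalize_name(name)
    return any(normalize_name(entry) == key for entry in watchlist)


def screen_customer(c: Customer) -> ScreeningResult:
    """Score the customer on the factors the text lists (PEP status,
    sanctions, geography, verification, delivery channel) and map the score
    to a category. Weights and cut-offs are assumptions for the example."""
    reasons, score = [], 0
    pep = c.self_declared_pep or _on_list(c.name, PEP_LIST)
    sanc = _on_list(c.name, SANCTIONS_LIST)
    if sanc:
        score += 100
        reasons.append("sanctions list match")
    if pep:
        score += 40
        reasons.append("politically exposed person")
    if c.country in HIGH_RISK_COUNTRIES:
        score += 30
        reasons.append(f"high-risk jurisdiction {c.country}")
    if not c.id_verified:
        score += 30
        reasons.append("identity not verified")
    if c.cash_intensive:
        score += 15
        reasons.append("cash-intensive dealings")

    category = "high" if score >= 60 else "medium" if score >= 25 else "low"
    # PEPs always get ECDD regardless of score; a sanctions match is not a
    # risk tier at all but a hold pending legal review (assumed policy).
    return ScreeningResult(
        pep_match=pep, sanctions_match=sanc, risk_score=score,
        risk_category=category, ecdd_required=(category == "high" or pep or sanc),
        hold=sanc, reasons=reasons,
    )


if __name__ == "__main__":
    for cust in (Customer("Petrov, Ivan", "AU", True),
                 Customer("John Smith", "AU", True),
                 Customer("John Smith", "XX", False)):
        print(cust.name, screen_customer(cust))
```

Note the two design points a practitioner would insist on: the same normalisation is applied to both the customer name and the list entry, so the comparison does not depend on how either was typed, and a sanctions hit sets a hold rather than merely raising the score, because it is an escalation, not a tier.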

PEP talk

You need to have risk-based procedures in place to identify whether an individual customer or beneficial owner is a PEP. You must carry out customer identification and verification procedures to identify the PEP before offering a designated service.


AUSTRAC notes these procedures may include:

  • Asking a customer if they are a PEP during onboarding.
  • Checking a customer on the internet, including sanctions lists and social media.
  • Using databases and reports from third parties or businesses that analyse corruption risks.


If you’re still a little foggy on how to deal with PEPs, you can visit AUSTRAC for further guidance.


If any suspicious activity is flagged, it must be reported to AUSTRAC as soon as possible to determine whether your customer poses a financial crime risk. Knowing who your customers are (as much as protocol dictates) is a vital part in protecting your business from bad actors using your services to launder illicit funds. Meanwhile, having systems set up to do the grunt work around digital identity verification is how a lot of designated services are responding to this regulatory obligation.

Part 3: Monitoring Your Customers – it’s about intelligence, not tick-box compliance

Are Compliance Officers the new Private Investigators?

Perhaps not, but reporting entities should treat compliance as intelligence gathering, not just a regulatory requirement. When you truly understand your customers and their needs, managing your compliance obligations becomes smarter, faster and far more effective. The good news is businesses don’t have to figure it out all by themselves. Assigning some of the compliance procedures to a third party simplifies regulatory tasks.


A CDD arrangement can be agreed with an external business that is already regulated under the AML/CTF Act. Keep in mind that relying on a third party for CDD does not shift the obligation: the reporting entity remains responsible for the outcome and must be satisfied the arrangement works. Leveraging technology for the mechanical parts of CDD eases the procedural burden and leaves more time to compile information and form sound suspicions when red flags arise.


BNDRY Smart Forms are designed to make this traditionally hard step easy, by creating a secure and centralised workspace to request, collect and collaborate on customer due diligence.


Features of the BNDRY platform:

  • Smart Forms collects and verifies customer information (DVS, ID documents, risk category).
  • Determines customer risk scores, what actions have been taken and what’s overdue.
  • Simplifies reporting for Suspicious Matter Reports (SMRs).
  • Stores customer records through document uploads in a centralised data hub.


A solid KYC program helps businesses identify any financial crime risks customers may bring to the business which, of course, benefits the overall company profile and protects the company’s reputation. Regulatory obligations are expected to be embedded into everyday business practices and with the right technology, businesses can stay ahead of AML/CTF tasks and reporting duties.

Part 4: Understanding How to Report to AUSTRAC

Reforms recap

The Tranche 2 reforms emphasise the need for stronger compliance measures to combat the serious problem that money laundering and terrorism financing poses to Australian businesses. New reporting entities have been assigned to help gather intelligence because they’re the prime targets for financial crime and the best way to spot bad actors.


DNFBPs are expected to report into AUSTRAC when they weren’t previously required to because:

  • Financial crime is on the rise costing Australia $68.7 billion annually.
  • Businesses that move money have become targets for terrorism financing and money laundering.
  • AUSTRAC needs help gathering intelligence to fight financial crime.

Show me the data! Or, what to report to AUSTRAC

What your business reports on is determined by your activity, but don’t worry, you don’t have to submit all reports, all the time.


The types of reports you may need to submit are:

  • Suspicious Matter Reports (SMR): When you reasonably suspect a customer or affiliate is not who they claim or a transaction is linked to criminal activity or proceeds of crime.
  • Threshold Transaction Reports (TTR): For individual physical currency transactions valued at A$10,000 or higher.
  • International Value Transfer Service Reports (IVTS): All international transfers of value transactions including money, virtual assets and other property.
  • Cross Border Movement Reports (CBM): When carrying physical currency or bearer negotiable instruments (such as cheques, traveller’s cheques and money orders payable to bearer) valued at A$10,000 or higher into or out of Australia.
  • Annual Compliance Reports: Annual report summarising how you’ve met your AML/CTF obligations in the previous year.


Additionally, businesses must keep records of all transactions, customer identification and information about their AML/CTF program and associated activities for seven years. This ensures you stay compliant and helps in the detection of financial crime.


Detailed information in each report and record keeping duties can be found on AUSTRAC’s website.

Part 5: Storing and Managing Customer Data

Expect the unexpected

Let’s assume you’ve got your AML/CTF program in place: you’ve reviewed and improved risk oversight to the business, assessed your CDD obligations and trained employees on the Tranche 2 reforms and associated duties. Then a red flag appears against a customer, one you’ve been in a relationship with for years, but you’re struggling to gather their data because it’s stored in various places.


The Financial Action Task Force (FATF) states how technology helps “minimise weaknesses in human control measures”. The old manual approach is no longer viable and companies are looking toward new technologies to help manage and securely control their data, especially sensitive KYC data.


The BNDRY platform is purpose-built to help regulated entities, including new Tranche 2 reporting entities, manage their new AML/CTF responsibilities with less friction and more confidence.


BNDRY automates business workflows by pushing data into a centralised hub for easy retrieval and reporting:

  • Consolidated Entities: consolidate customer data and risk-related information into a unified profile. This makes it easy to retrieve customer information when preparing Suspicious Matter Reports.
  • Investigation Workspaces: capture red flags, attach evidence, document unusual matters and collaborate internally to investigate potential suspicion. Create an auditable case file to gather intelligence required to populate an SMR.
  • Regulatory Reporting Workflows Built-in: populate and generate reports for all AUSTRAC reports, including SMR and TTR reports. Populate them using BNDRY’s built-in AUSTRAC forms, or configure automations that transform your existing data into AUSTRAC-ready files.
  • Audit-ready Record-keeping: store all AML/CTF-related documents (customer ID records, transaction activity, investigations and reports) in one place that are easily retrieved for audits or reporting.


AML/CTF obligations don't have to feel painful, it's simply a matter of knowing what's expected from your business and having systems in place to help with your regulatory compliance.

The wrap up

With Australia’s AML/CTF reforms coming into effect by July 2026, designated non-financial businesses and professions (DNFBPs) must be ready to comply with stricter anti-money laundering and counter-terrorism financing laws.


To avoid legal risk, reputational damage and operational disruption, businesses should act now. Preparing involves understanding how your business could be targeted by financial crime, conducting a thorough risk assessment, cleansing and securing company data, training staff and implementing or enhancing Know Your Customer (KYC) and Customer Due Diligence (CDD) procedures.


Monitoring customer behaviour, identifying suspicious transactions and ensuring accurate reporting to AUSTRAC are all critical components of compliance. With the right technology and systems, businesses can embed compliance into everyday operations, making it a seamless part of business-as-usual rather than a disruptive obligation.


Financial crime isn’t going to disappear and ignoring this reality may be costly to both your business and the wider community. If you want to minimise the impact the AML/CTF regulations may have on your business, BNDRY’s here to help.


Need help with your AML/CTF obligations?

Talk Nerdy To Us